https://git.schokokeks.org/derivepassphrase.git/tree/269369a694a74c6d509755f82b32407cfcc32420
Recent commits to derivepassphrase.git (269369a694a74c6d509755f82b32407cfcc32420)
2025-08-03T21:47:37+02:00

tag:gitlist.org,2012:commit/269369a694a74c6d509755f82b32407cfcc32420
Release 0.5.2
2025-08-03T21:47:37+02:00
Marco Ricci software@the13thletter.info

tag:gitlist.org,2012:commit/af222512798d18348bd27f5a75b2c378ff204c40
Merge topic branch 'fix-version-number' into master
2025-08-03T20:45:36+02:00
Marco Ricci software@the13thletter.info

* fix-version-number:
  Fix the automatic version increment in `__init__.py`

tag:gitlist.org,2012:commit/bf55246b94b88068d589977aada6ce60c80dbec5
Fix the automatic version increment in `__init__.py`
2025-08-03T20:45:21+02:00
Marco Ricci software@the13thletter.info

Despite using software (`bump-my-version`) to automatically update all version number references throughout the project, I forgot to include a rule to update the version recorded in the code itself: `derivepassphrase/__init__.py:__version__`. Thus, version 0.5 and version 0.5.1 have been released while both claiming to be version "0.5 alpha 1 (development build 1)". Oops.

tag:gitlist.org,2012:commit/608a84da61fabd375cf2859d21acfdb5d5f4b607
Merge topic branch 'pageant-068-080-keys' into master
2025-08-03T20:20:55+02:00
Marco Ricci software@the13thletter.info

* pageant-068-080-keys:
  Add a script to query test key signatures and derived passphrases from an agent
  Add Pageant 0.68–0.80 signatures and derived passphrases for DSA keys
  Harmonize syntax for the test key definitions

tag:gitlist.org,2012:commit/07abfb9a325939fbb8f06378b1819bbfe0cf171a
Add a script to query test key signatures and derived passphrases from an agent
2025-08-03T20:07:56+02:00
Marco Ricci software@the13thletter.info

The script attempts to upload each test key to the running SSH agent, then queries the agent for the signature of the `vault` UUID and computes the derived passphrase. If that works, then it prints the test key, augmented by the new signature and new derived passphrase, in a `repr`-compatible representation that could principally directly be included into the `tests` module. (The real code in the `tests` module basically only differs in whitespace: the hex codes that make up the signatures and the key data are wrapped manually, in a manner that highlights their structure but which is difficult/tedious to produce automatically.)

The script has only been tested on UNIX, and because it imports the `tests` module directly, it should be run in a compatible environment, e.g., the `hatch-static-analysis` environment.

tag:gitlist.org,2012:commit/ea2c3cb5d4ca09932f947922c91baaa906daeb25
Add Pageant 0.68–0.80 signatures and derived passphrases for DSA keys
2025-08-03T19:59:19+02:00
Marco Ricci software@the13thletter.info

I generated these signatures and derived passphrases against a manually compiled instance of Pageant 0.80. (Because, as already hinted at in d2bb555fd898d63b413b37dc2bd1374d82daeffe, it is somewhat hard to obtain pre-compiled versions of Pageant with a known security hole. It turned out to be much easier to compile Pageant ourselves than to find an unpatched PuTTY distribution.)

(These test vectors are not actually in active use yet.)

tag:gitlist.org,2012:commit/10f92193e28b82f843b2ae027cee89935548e842
Harmonize syntax for the test key definitions
2025-08-03T19:35:25+02:00
Marco Ricci software@the13thletter.info

No functional change. But harmonizing the syntax makes it easier to compare machine-generated output with the recorded test vectors for the test keys.

tag:gitlist.org,2012:commit/27a3cf661d83a37f54ed358893ce24345a349c31
Merge topic branch 'test-suite-cleanups' into master
2025-07-27T23:12:36+02:00
Marco Ricci software@the13thletter.info

* test-suite-cleanups:
  Comment on coverage exclusions, in shorthand
  Provide more deterministic signatures for the test keys
  Fix, and test for, the consistency of the SSH test keys
  Fix some test suite setup mistakes

tag:gitlist.org,2012:commit/c5c882a238537077279b1ea8ad0076b1d812cc85
Comment on coverage exclusions, in shorthand
2025-07-26T17:35:21+02:00
Marco Ricci software@the13thletter.info

Add shorthand codes for different types of coverage exclusions, explained in `pyproject.toml` in the `tool.coverage` section, because reasons for excluding code branches from coverage tend to fall into a handful of common categories.

Also add explicit coverage exclusion patterns for dummy classes which are never intended to actually be called, such as the `_types._Omitted` class (for styling function signatures in the generated documentation) and the two `_DummyModule` classes (which stub out missing dependencies to appease the type checker).

A very few coverage exclusions were actually unnecessary or nonsensical, and have been rectified.

tag:gitlist.org,2012:commit/d2bb555fd898d63b413b37dc2bd1374d82daeffe
Provide more deterministic signatures for the test keys
2025-07-26T16:45:41+02:00
Marco Ricci software@the13thletter.info

Record and provide more deterministic signatures for the test keys, where feasible. In particular, for DSA and ECDSA keys, support recording the RFC 6979 deterministic DSA signatures, as implemented by Pageant. In particular, this entails that the `expected_signature` and `derived_passphrase` fields of the test keys need to change to accommodate the new shape of the data.

For the existing DSA and ECDSA keys, RFC 6979 signatures and expected master passphrases are also provided. Providing the Pageant 0.68–0.80 deterministic signatures and expected master passphrases however is not quite so straight-forward: because the signature class is the subject of CVE-2024-31497, Pageant < 0.81 is considered to have a security hole, and thus it is hard to obtain pre-compiled, unpatched installations of Pageant to compute the signatures/master passphrases against.